How apply a stats sum with a where condition?

Need to sum a field value with a condition. For example, every log contains a field-value pair "failedcount" with integer values. I want to sum up the failedcount only when the other field "servertype" is equal to "bot" or "web". So I want two columns: botfailedcount (sum of failedcount where servertype=bot) and webfailedcount (sum of failedcount where servertype=web).


intelsubham

Explorer

04-20-2016
09:39 AM


Re: How apply a stats sum with a where condition?

sundareshr

Legend

04-20-2016
09:41 AM

Try this

```
... | stats sum(failedcount) as botfailedcount by servertype
```


sideview

SplunkTrust

04-20-2016
09:52 AM

1) Since you want to split the servertype as your two columns, you need the chart command and its "split by" argument. By a silly quirk, the chart command demands to have *some* field as the "group by" field so here we just make one and then throw it away after.

```
( servertype=bot OR servertype=web) | eval foo=1 | chart sum(failedcount) over foo by servertype | fields - foo
```

2) The other way is to use stats and then use xyseries to turn the "stats style" result set into a "chart style" result set, however we still have to do the same silly trick.

```
( servertype=bot OR servertype=web) | stats sum(failedcount) as count by servertype | eval foo="1" | xyseries foo servertype count | fields - foo
```

3) OR, you could make two separate count fields with the eval command, and then just use stats.

```
( servertype=bot OR servertype=web) | eval webFails=if(servertype="web",failedcount,null()) | eval botFails=if(servertype="bot",failedcount,null()) | stats sum(webFails) as webFailures sum(botFails) as botFailures
```
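
The third approach can also be collapsed into one stats call by putting the eval expression inside sum(). This is an added example, not part of the answer above: it builds constructed events with makeresults so it can be pasted into any search bar, and the field values, the event with no failedcount, the "api" servertype and the final fillnull step are all assumptions made for the illustration.

```spl
| makeresults count=6
| streamstats count as n
``` constructed sample events: two bot, three web, one api (should be ignored) ```
| eval servertype=case(n<=2, "bot", n<=5, "web", true(), "api")
``` one web event has no failedcount at all; sum() skips null values ```
| eval failedcount=if(n=4, null(), n)
``` conditional sums: each sum() only sees failedcount where the servertype matches ```
| stats sum(eval(if(servertype="bot", failedcount, null()))) as botfailedcount
        sum(eval(if(servertype="web", failedcount, null()))) as webfailedcount
``` if no event matched a condition the column would be missing; create it as 0 ```
| fillnull value=0 botfailedcount webfailedcount
```

Because the condition lives inside each sum(), the base search does not need the servertype filter for the totals to be correct, although keeping it reduces the number of events stats has to read.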


Re: How apply a stats sum with a where condition?

intelsubham

Explorer

04-20-2016
11:21 AM

Thanks Sideview, I was looking for the third one.